Tuesday, December 17, 2013

A new public key infrastructure was deployed on Windows Server 2012 R2 consisting of two certificate authorities. For security reasons and to adhere to Microsoft best practice, we deployed a new stand-alone offline root certificate authority and a subordinate enterprise certificate authority which is Active Directory integrated and will be responsible for issuing certificates to all devices, users and service accounts on the domain.

The following image is an overview of the deployed solution.

When I set up the subordinate certificate authority, I issued a certificate to the subordinate from the root certificate authority to validate its identity and authorise it to issue certificates on behalf of the root. Only after issuing this certificate did I find out that the default validity period for certificates issued by stand-alone certificate authorities in Windows Server 2012 R2 is only 1 year. This period of time is far too small for a certificate that is assigned to another certificate authority.

As a result we increased the validity period of certificates issued by the root certificate authority, which was done with the following command:

certutil -setreg ca\ValidityPeriodUnits "10"

This changed it from 1 year to 10 years.
We then issued a new certificate from the root authority to the subordinate certificate authority for the 10 year period.
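As an added example (not part of the original post), the following PowerShell script performs the same change end to end: it sets both ValidityPeriod and ValidityPeriodUnits on the root CA, restarts the CA service so the new values are actually read, verifies them against the registry, and checks the lifetime of the certificate file returned for the subordinate before it is installed there. It assumes an elevated prompt on the stand-alone root CA; the .cer path is a placeholder.

```powershell
# Added example, not from the original post. Sets the root CA's issuance validity to
# 10 years, restarts the CA service so the new value is read (the step the post
# says was forgotten), verifies the registry values, and checks the validity span
# of a subordinate CA certificate file before it is installed.
# Assumes an elevated PowerShell prompt on the stand-alone root CA.

$units  = 10
$period = "Years"   # ValidityPeriod names the unit; ValidityPeriodUnits gives the count

certutil -setreg ca\ValidityPeriod $period
certutil -setreg ca\ValidityPeriodUnits $units

# The registry values are only read when the service starts, so any request signed
# before this restart still gets the old 1 year validity.
Restart-Service -Name CertSvc

function Get-CaValidityPeriod {
    # Reads the active CA's validity settings straight from the CertSvc registry key.
    $cfg    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
    $caName = (Get-ItemProperty -Path $cfg).Active
    $vals   = Get-ItemProperty -Path (Join-Path -Path $cfg -ChildPath $caName)
    [pscustomobject]@{
        CAName = $caName
        Period = $vals.ValidityPeriod
        Units  = [int]$vals.ValidityPeriodUnits
    }
}

$cur = Get-CaValidityPeriod
if ($cur.Period -ne $period -or $cur.Units -ne $units) {
    throw "CA '$($cur.CAName)' still issues for $($cur.Units) $($cur.Period)"
}
"CA '$($cur.CAName)' now issues certificates for $($cur.Units) $($cur.Period)"

function Get-CertificateLifetimeYears {
    # Returns the lifetime of a .cer file in years, so the certificate issued to the
    # subordinate can be checked before it is installed on the subordinate CA.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
}

# Placeholder path: the .cer the root CA returned for the subordinate's request.
$subCaCer = "C:\Temp\SubCA.cer"
if (Test-Path -Path $subCaCer) {
    $years = Get-CertificateLifetimeYears -Path $subCaCer
    if ($years -lt $units) {
        Write-Warning "$subCaCer is only valid for $years years; resubmit the request"
    }
}
```

Checking the lifetime of the returned certificate before installing it is what would have avoided issuing the subordinate a second short-lived certificate, and therefore the extra stale certificate that later had to be cleaned out of Active Directory.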

The Problem

After issuing the new certificate to the subordinate certificate authority, I realised the subordinate certificate authority is pushing out the new 10 year certificate to the intermediate certificate store on workstations as well as the old 1 year certificate. This is shown in the following screenshot taken on a domain member machine. The two certificates highlighted are old certificates which used to be assigned to the enterprise subordinate certificate authority. There are two because we issued two (we forgot to restart the certificate authority service on the root CA after running the certutil command above to extend the validity period, so we had to repeat the process).

I don't want the Active Directory certificate authority pushing out these invalid certificates to all domain joined devices.

How to Remove Certificates from Active Directory Deployment

To remove certificates from Active Directory deployment, open pkiview.msc on an Enterprise Certificate Authority.

Right click Enterprise PKI and select Manage AD Containers.

Enterprise root certificate authorities are located in the "Certification Authorities Container" tab, and enterprise subordinate certificate authorities are located under the "NTAuthCertificates" and "AIA Container" tabs. Check the expiry date or thumbprint of each certificate to ensure you find the correct one. Remove the unwanted certificates which are no longer required by your workstations.

After removing the unwanted certificates, running gpupdate /force on a domain member automatically removes them from the intermediate store and root store. This is shown in the following screenshot of the computer's certificate store in an MMC snap-in.
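As an added example (not part of the original post), the following read-only PowerShell script enumerates the same three Active Directory containers that pkiview.msc shows and lists every published CA certificate with its thumbprint and expiry, so the stale subordinate CA certificates can be matched by thumbprint before they are removed. A second function checks a domain member's intermediate and root stores for a given thumbprint, to confirm the cleanup took effect after gpupdate. It assumes the forest's configuration partition is reachable over LDAP; removal is still done in pkiview.msc.

```powershell
# Added example, not from the original post. Lists every CA certificate published in
# the Active Directory PKI containers that pkiview.msc's "Manage AD Containers" shows,
# with thumbprint and expiry, so stale subordinate CA certificates can be identified by
# thumbprint before removal. Read-only; nothing here deletes anything.
# Assumes the forest's configuration naming context is reachable via LDAP.

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# NTAuthCertificates is a single object holding a multi-valued cACertificate attribute;
# the other two are containers with one certificationAuthority object per CA.
$targets = @(
    @{ Name = "Certification Authorities"; Path = "CN=Certification Authorities,$pkiBase"; IsContainer = $true  },
    @{ Name = "AIA";                       Path = "CN=AIA,$pkiBase";                       IsContainer = $true  },
    @{ Name = "NTAuthCertificates";        Path = "CN=NTAuthCertificates,$pkiBase";        IsContainer = $false }
)

function Get-AdPublishedCaCertificate {
    foreach ($t in $targets) {
        $entry   = [ADSI]"LDAP://$($t.Path)"
        $objects = if ($t.IsContainer) { $entry.psbase.Children } else { @($entry) }
        foreach ($obj in $objects) {
            foreach ($raw in $obj.psbase.Properties["cACertificate"]) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                            -ArgumentList (,[byte[]]$raw)
                [pscustomobject]@{
                    Container  = $t.Name
                    Object     = [string]$obj.psbase.Properties["cn"][0]
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                }
            }
        }
    }
}

function Test-LocalStoreForThumbprint {
    # $true if a domain member still holds the certificate in its Intermediate (CA)
    # or Trusted Root store; run after gpupdate /force to confirm the removal.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $hits = Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    return [bool]$hits
}

# A subject that appears more than once is the situation described in the post:
# several certificates issued to the same subordinate CA, only the newest of which
# should remain published.
$published = Get-AdPublishedCaCertificate
$published | Sort-Object Subject, NotAfter |
    Format-Table Container, Object, Subject, NotAfter, Thumbprint, Expired -AutoSize

$published | Group-Object Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "Multiple certificates published for $($_.Name):"
    $_.Group | Sort-Object NotAfter | Format-Table Container, NotAfter, Thumbprint -AutoSize
}
```

The thumbprint is the value to match on, not the subject: each certificate issued to the subordinate CA carries the same subject name, and only the thumbprint (or the NotAfter date) distinguishes the 1 year certificates from the 10 year one.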

A big thank you to River Mei from Microsoft who assisted me with this issue.

If you are a regular follower of my blog, you will have noticed I have been writing about different problems you may experience during co-existence between Exchange 2003 and Exchange 2010 using Routing Group Connectors. Previously I wrote about the error "There is currently no route to the mailbox database" and how to overcome it, which can be found on the following page:

Today we are going to look at another issue using Routing Group Connectors:

The mailbox recipient does not have a mailbox database.

This error can also be viewed using the "Get-Message | fl" command by looking at the LastError attribute.

As before, we have a valid routing group connector between a single Exchange 2010 and a single Exchange 2003 server, set up correctly:

However mail is not passing between the servers for select users only!

Resolution

When installing Exchange 2010 into an existing Exchange 2003 organisation, Exchange 2010 creates a new set of security groups which it uses to assign permissions over Active Directory objects. These permissions extend over user account objects as well as the Exchange related objects in the Active Directory configuration partition.

The error message "The mailbox recipient does not have a mailbox database" is shown because Exchange 2010 does not have permission to see the user account in Active Directory. It does not know the Exchange 2003 legacy mailbox exists, and the Exchange 2010 server definitely does not hold the mailbox itself, hence it complains that the recipient has no mailbox database.

This can happen when user accounts have broken inheritance in Active Directory. To fix this, open Active Directory Users and Computers, find the user account in question and open the account properties. Under Security, Advanced, make sure that inheritance is enabled for the user in question. This ensures the Exchange 2010 environment has access to the user object and can see that it has a mailbox.

Note: If you cannot see the security tab on the user account in Active Directory, you will need to enable Advanced Features from the view menu.

Monday, December 16, 2013

When setting up a Websense V5000 G2 appliance running 7.8.1, in Gateway Manager I enabled integrated Windows Authentication, joined the appliance to the domain and then enabled SOCKS. After making these changes, the following error was experienced when navigating to websites from clients:

internal error - server connection terminated

The Internal Error generally occurs when SOCKS has been enabled but not configured. After disabling SOCKS in the Websense Gateway Manager interface, the issue was resolved.

Friday, December 13, 2013

When performing an Exchange 2003 to Exchange 2010 migration, mail flowing between the two servers using a routing group connector was not working. When relaying an email to the Exchange 2010 server for a user mailbox residing on Exchange 2003, the email would simply sit in the queue and never send.

The following error was experienced:

There is currently no route to the mailbox database

This can be seen in the message log with "Get-Message | fl".

The messages simply sat in the Unreachable queue on the Exchange 2010 server.

This error generally means no routing group connector exists between the two servers. However, I confirmed the routing group connector had been created automatically by Exchange Setup.

Next I removed these routing group connectors and recreated them through PowerShell:

After recreating the routing group connectors you must restart the "Simple Mail Transfer Protocol" service on Exchange 2003 and the "Microsoft Exchange Transport" service on Exchange 2010.
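As an added example (not the commands from the original post, which were shown as an image), the following Exchange Management Shell script recreates the connector pair between one Exchange 2010 Hub Transport server and one Exchange 2003 server and then restarts the two services named above. The server and connector names are placeholders; it assumes it is run from the Exchange Management Shell on the Exchange 2010 server with rights to manage the Exchange 2003 server's services.

```powershell
# Added example, not from the original post. Recreates the routing group connector
# between a single Exchange 2010 Hub Transport server and a single Exchange 2003
# server, then restarts the transport services the post says must be restarted.
# Server names are placeholders; run from the Exchange Management Shell on the
# Exchange 2010 server.

$ex2010 = "EX2010HUB01"        # placeholder Exchange 2010 Hub Transport server
$ex2003 = "EX2003BE01"         # placeholder Exchange 2003 bridgehead server
$name   = "Ex2010-to-Ex2003"   # placeholder connector name

# 1. Record what Setup created before touching anything.
Get-RoutingGroupConnector |
    Format-List Name, SourceTransportServers, TargetTransportServers, Cost

# 2. Remove the existing connectors in both directions.
Get-RoutingGroupConnector | Remove-RoutingGroupConnector -Confirm:$false

# 3. Create a new connector; -Bidirectional also creates the reverse connector from
#    the Exchange 2003 routing group back to Exchange 2010.
New-RoutingGroupConnector -Name $name `
    -SourceTransportServers $ex2010 `
    -TargetTransportServers $ex2003 `
    -Cost 100 `
    -Bidirectional $true `
    -PublicFolderReferralsEnabled $true

# 4. Restart transport on both sides. On Windows Server 2003 the "Simple Mail
#    Transfer Protocol" service is named SMTPSVC.
Restart-Service -Name MSExchangeTransport
Get-Service -Name SMTPSVC -ComputerName $ex2003 | Restart-Service

# 5. Confirm the pair exists, then ask the transport service to re-evaluate the
#    messages that were parked in the Unreachable queue.
Get-RoutingGroupConnector |
    Format-Table Name, SourceTransportServers, TargetTransportServers -AutoSize
Retry-Queue -Filter { DeliveryType -eq "Unreachable" }
```

Retrying the Unreachable queue after the restart is what tells you whether the connector was the problem: if the messages still do not move, as they did not in this case, the cause is elsewhere and the connector can be ruled out.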

This still did not resolve the problem.

Resolution

Next I started checking the permissions of the Exchange container objects in the configuration partition within Active Directory against a default install of Exchange 2003 in a test lab. I noticed that permissions on the Exchange 2003 server object in Active Directory were no longer inheriting from the Administrative Group/Servers container.

After re-enabling inheritance on the Exchange 2003 server object using ADSI Edit, the issue was resolved.
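Both this post and the one above about "The mailbox recipient does not have a mailbox database" come down to the same condition: an Active Directory object whose ACL has inheritance blocked, so the Exchange 2010 security groups never receive the permissions applied further up the tree. As an added example (not code from either post), the following PowerShell script detects that condition on any object by distinguished name, re-enables inheritance the same way the ADSI Edit and ADUC checkbox does, and scans the domain for mailbox-enabled users in that state. The distinguished names are placeholders; it assumes an account permitted to write security descriptors on the objects concerned.

```powershell
# Added example, not from the original posts. Detects Active Directory objects whose
# DACL has inheritance blocked (AreAccessRulesProtected) and re-enables it. This is
# the fix applied above to the Exchange 2003 server object in the configuration
# partition and, in the earlier post, to user accounts with legacy mailboxes.
# All distinguished names are placeholders.

function Test-AdInheritanceBlocked {
    # $true when the object's DACL is protected, i.e. inheritance is disabled.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    return [bool]$entry.psbase.ObjectSecurity.AreAccessRulesProtected
}

function Enable-AdInheritance {
    # Turns inheritance back on while keeping the explicit ACEs already on the
    # object (second argument $true), matching what the GUI checkbox does.
    # Returns $true if a change was made.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd = $entry.psbase.ObjectSecurity
    if (-not $sd.AreAccessRulesProtected) { return $false }
    $sd.SetAccessRuleProtection($false, $true)
    $entry.psbase.CommitChanges()
    return $true
}

function Find-MailboxUsersWithBlockedInheritance {
    # Enumerates mailbox-enabled users (homeMDB set) in the current domain and
    # reports those whose inheritance is blocked.
    $domainNc = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainNc"
    $searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("adminCount")
    foreach ($r in $searcher.FindAll()) {
        $dn = [string]$r.Properties["distinguishedname"][0]
        if (Test-AdInheritanceBlocked -DistinguishedName $dn) {
            $ac = $r.Properties["admincount"]
            [pscustomobject]@{
                DistinguishedName = $dn
                # adminCount=1 marks members of protected groups: the AdminSDHolder
                # process re-blocks inheritance on those accounts periodically, so
                # fixing the ACL alone will not hold for them.
                ProtectedByAdminSDHolder = ($ac.Count -gt 0 -and [string]$ac[0] -eq "1")
            }
        }
    }
}

# Usage 1: the configuration partition server object from the post above (placeholder DN).
$serverDn = "CN=EX2003BE01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups," +
            "CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com"
if (Test-AdInheritanceBlocked -DistinguishedName $serverDn) {
    "Re-enabling inheritance on $serverDn"
    Enable-AdInheritance -DistinguishedName $serverDn | Out-Null
}

# Usage 2: list every legacy mailbox user with blocked inheritance for review before
# fixing them one by one with Enable-AdInheritance.
Find-MailboxUsersWithBlockedInheritance | Format-Table -AutoSize
```

Running the scan first and fixing second matters because blocked inheritance is sometimes deliberate: accounts flagged by adminCount are maintained that way by Active Directory itself, and for those the right answer is to remove them from the protected group rather than to repeatedly re-enable inheritance.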

Sunday, December 1, 2013

Out With the Old In With the New
If you exchange data regularly with colleagues, business partners and clients, which probably describes all of us, then no doubt you will at some point have considered the risk of that data being leaked or compromised in some way. This will have led you to investigate encryption as a tool to safeguard both your own and your recipient’s data. Many of you might have elected not to proceed with an encryption solution because of the burden this would place on normal business practices. Well, if that’s you, it’s time you looked again. This year’s winner of the UK IT Industries Cloud Provider of the Year, Egress Software Technologies, has an email encryption product called Switch that just might have the answer.

Sending Secure Emails
This can be done via a desktop app, a smartphone/tablet app or a web interface, or, if you are a Microsoft Outlook or Lotus Notes user, from within your email client. Plus you don’t need to worry whether your recipient is a current user of Switch or has even heard of it. We are running this demonstration on a MacBook Pro using OS X version 10.7.5.

Fig. 1 Welcome Screen

From the “Welcome” screen (Fig. 1) you can choose to create a package, create a secure message or view the packages you have created earlier. Creating a package is the term used here that describes how you can wrap encryption around any form of data to be exchanged by USB stick, CD ROM, FTP file transfer or DVD.

However since we are talking about secure email let’s look more closely at that aspect of this product.

On clicking the “Create Message” icon your browser will be opened at Egress’s web mail page where you can compose your email and add attachments as required (Fig. 2). If you are using a Windows PC it will integrate with either Microsoft Outlook or Lotus Notes if available.

Fig. 2 Secure Email

Clicking “Send Secure” will automatically encrypt and send your email to your recipient, and you will get a confirmation screen (Fig. 3). It couldn’t be easier!

Fig. 3 Confirmation Screen

Your recipient will receive an email as shown in Fig. 4.

Fig. 4 Secure Email Arrives

It is no problem if your recipient has never used Switch before; they will most likely click on the “read this secure email” link, which will take them to the account sign in screen (Fig. 5) where they can create a free Switch account for themselves.

Fig. 5 Sign In Screen

Once you have created an account and signed in, you will have automatic access to the decrypted email and attachment (Fig. 6).

Fig. 6 Decrypted Email

From here you can obviously read the email and any attachment, but, and this is where it gets quite clever, both the email and attachment are “water-marked” with the recipient’s email address. This extra layer of protection is designed to discourage users from sharing the contents of your email with others without your permission. Copying the email and attachment has been made more difficult by making the contents appear opaque when the window in which they appear is no longer the focus (Fig. 7).

Fig. 7 Opaque Content

Should the user try to forward this email securely to someone else, that person will not be able to open it, even if they have a Switch account in their own name, unless you have added them to the list of approved recipients of this email. Does that make sense? In other words, you keep control of where your data can be viewed. This makes Switch so much more than just a secure email product. You can even set the time at which access is granted.

How Secure Is Switch?
Switch offers pretty strong encryption, using AES at 256 bits, and with a stamp of approval from CESG and FIPS you can be assured that the algorithm has been properly implemented. And since each communication is encrypted with fresh keys, any possible future breach would affect only that single communication, not previous or future ones. Hopefully I have told you enough for you to go and take a look for yourselves.

About Andy Campbell

Andy Campbell has over 40 years' experience in the computer business, 20 of those years spent at Reflex Magnetics Ltd, a UK developer of security software. As managing director he was instrumental in forging a close relationship with the MoD and CESG, with Reflex's Disknet and Data Vault products being used extensively by both the UK's armed forces and NATO. More recently he has been involved as a director and investor in Reflect Digital, a web marketing agency.